Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   SpeedCommander 10 Beta 4 (https://forum.exetools.com/showthread.php?t=3117)

MaRKuS-DJM 12-26-2003 22:45

SpeedCommander 10 Beta 4
 
How does this ASProtect work??? If you are tracing to the OEP... you are in the ASPR code again... and if you dump at the real OEP and open the dump with a debugger, you are in the ASPR code instead of the OEP???

britedream 12-27-2003 02:46

Here is the OEP and stolen bytes:

00459876 55 PUSH EBP
00459877 8BEC MOV EBP,ESP
00459879 6A FF PUSH -1
0045987B 68 F8944700 PUSH SpeedCom.004794F8
00459880 68 969B4500 PUSH SpeedCom.00459B96 ; JMP to MSVCRT._except_handler3
00459885 50 PUSH EAX
00459886 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0045988C 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00459893 83EC 68 SUB ESP,68
00459896 53 PUSH EBX
00459897 56 PUSH ESI
00459898 57 PUSH EDI
00459899 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0045989C 33DB XOR EBX,EBX
0045989E 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004598A1 6A 02 PUSH 2


MaRKuS-DJM 12-27-2003 04:28

Stolen bytes worked perfectly, but is the IAT for Beta 4???

I have fixed the IAT in another way.

MaRKuS-DJM 12-27-2003 04:34

Beta 4 has an ASProtected DLL (I think for registration).
I can't unpack DLLs... not enough knowledge.

britedream 12-27-2003 14:09

To Markus
The IAT you uploaded is the same one I uploaded; I couldn't see the difference.

MaRKuS-DJM 12-27-2003 19:59

Sorry, it was my fault... here's my IAT.

britedream 12-27-2003 22:29

To Markus
Thanks Markus, my IAT is shorter than it should be, so I removed it. I didn't check it;
I was working on another program, and wanted to help you get started. I always
know that programs with MFC tend to be larger than 1500, but that slipped my mind,
so please accept my apology.

I will check the program once I finish the tough program that I am working on.
{Note}
Your IAT isn't correct; it is missing some.

mtw 12-29-2003 05:29

1 Attachment(s)
Quote:

Originally posted by britedream
Here is the OEP and stolen bytes:

00459876 55 PUSH EBP
00459877 8BEC MOV EBP,ESP
00459879 6A FF PUSH -1
0045987B 68 F8944700 PUSH SpeedCom.004794F8
00459880 68 969B4500 PUSH SpeedCom.00459B96 ; JMP to MSVCRT._except_handler3
00459885 50 PUSH EAX
00459886 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0045988C 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00459893 83EC 68 SUB ESP,68
00459896 53 PUSH EBX
00459897 56 PUSH ESI
00459898 57 PUSH EDI
00459899 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
0045989C 33DB XOR EBX,EBX
0045989E 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004598A1 6A 02 PUSH 2

Seems odd, I came up with:

00459D2D 55 PUSH EBP
00459D2E 8BEC MOV EBP,ESP
00459D30 6A FF PUSH -1
00459D32 68 88474700 PUSH dumped_.00474788
00459D37 68 B69A4500 PUSH <JMP.&msvcrt._except_handler3> ; Entry address
00459D3C 50 PUSH EAX
00459D3D 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00459D43 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00459D4A 83EC 68 SUB ESP,68
00459D4D 53 PUSH EBX
00459D4E 56 PUSH ESI
00459D4F 57 PUSH EDI
00459D50 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00459D53 33DB XOR EBX,EBX
00459D55 895D FC MOV DWORD PTR SS:[EBP-4],EBX
00459D58 6A 02 PUSH 2

in the SpeedCommander.exe, unless you were doing another exe.

As for the MxCmn50.dll, the OEP is 641521CB.
To set a bp on that, do a he 641B1001, then do your
normal tracing etc. for ASPR programs; after about the 25th
memory access violation, Ctrl-G to go to the OEP, set a bp,
and you're set.

IAT for SpeedCommander

JMI 12-29-2003 08:37

mtw:

Unless I'm going blind in my old age, which is a distinct possibility, the only difference I see between your disassembly and britedream's is the lines:

0045987B 68 F8944700 PUSH SpeedCom.004794F8
00459880 68 969B4500 PUSH SpeedCom.00459B96 ; JMP to MSVCRT._except_handler3

vs.

00459D32 68 88474700 PUSH dumped_.00474788
00459D37 68 B69A4500 PUSH <JMP.&msvcrt._except_handler3> ; Entry address

Which suggests the ordinal for the exception handler and the handler itself are at different locations in his version. Maybe you are working with different versions.

Regards,
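
JMI's line-by-line comparison, done mechanically. This is an added example, not code from the thread or from any of its participants: it parses the two OllyDbg listings quoted above (the excerpts embedded below are copied from those posts), masks module-relative operands, and checks that the two prologues are the same code at a constant relocation delta. The function names and the `<imm32>` mask are my own choices.

```python
import re
# Excerpts of the two OllyDbg listings quoted above, copied as posted (">" marks a truncated byte column).
BRITEDREAM = """\
0045987B 68 F8944700 PUSH SpeedCom.004794F8
00459880 68 969B4500 PUSH SpeedCom.00459B96 ; JMP to MSVCRT._except_handler3
00459885 50 PUSH EAX
00459886 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0045988C 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
00459893 83EC 68 SUB ESP,68
"""
MTW = """\
00459D32 68 88474700 PUSH dumped_.00474788
00459D37 68 B69A4500 PUSH <JMP.&msvcrt._except_handler3> ; Entry address
00459D3C 50 PUSH EAX
00459D3D 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00459D43 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00459D4A 83EC 68 SUB ESP,68
"""
# Relocatable operands: module.XXXXXXXX labels and <JMP.&dll.func> import thunks.
RELOC = re.compile(r"<JMP\.&[^>]+>|\b\w+\.[0-9A-F]{8}\b")

def is_bytes(tok):
    """Byte-column token: hex pairs, optionally with a prefix group such as 64:A1."""
    return all(re.fullmatch(r"(?:[0-9A-F]{2})+", g) for g in tok.split(":"))

def parse_listing(text):
    """Return [(address, instruction)], dropping the byte column and any ';' comment."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        addr, *words = line.split()
        i = 0
        while i < len(words) and is_bytes(words[i]):
            i += 1
        if i < len(words) and ">" in words[i]:  # truncated bytes fused to the mnemonic
            words[i] = words[i].split(">", 1)[1]
        rows.append((int(addr, 16), " ".join(words[i:]).split(";", 1)[0].strip()))
    return rows

def normalize(instr):
    """Mask relocatable operands so the same code at different addresses compares equal."""
    return RELOC.sub("<imm32>", instr)

def compare(a_text, b_text):
    """Pair the listings line by line: same code up to relocation, and by what delta?"""
    a, b = parse_listing(a_text), parse_listing(b_text)
    deltas = {y[0] - x[0] for x, y in zip(a, b)}
    same = len(a) == len(b) and len(deltas) == 1 and all(
        normalize(x[1]) == normalize(y[1]) for x, y in zip(a, b))
    relocated = [(x[0], y[0], x[1], y[1]) for x, y in zip(a, b) if x[1] != y[1]]
    return {"same_shape": same, "delta": deltas.pop() if same else None, "relocated": relocated}
```

Running `compare(BRITEDREAM, MTW)` reports the two listings as the same code shifted by 0x4B7 bytes, with only the two PUSH operands differing, which is exactly the observation in the post above.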

mtw 12-29-2003 10:05

Yes, I know it's the locations that are different; it's MSVC6 code
with MFC, so the startup is the same. Just wondering, if that's
10 Beta 4, which is what I downloaded from their site, why the locations and OEP are different... just wondering which one
the others are taking apart.

mtw 12-29-2003 10:08

1 Attachment(s)
BTW, here's the IAT for the DLL.

Ari Benta 12-30-2003 07:34

Sorry for my question, but what is the line "00459885 50 PUSH EAX" good for, if EAX hasn't been accessed before?


All times are GMT +8.